Jump to content
Not connected, Your IP: 3.16.207.33
AirVPN
blank90

ANSWERED AEAD Decrypt Error: bad packet ID (may be a replay):

By blank90, ... in Troubleshooting and Problems

Recommended Posts

blank90    3

blank90
Posted ...

I have this repeating in my logs. What is the significance? Packet loss on this server? Currently connected to Imai in San Jose, CA, USA.

I read: "Generally, you can ignore this message, if it only happens once in a while."

Share this post

Link to post

Staff    9968

Staff
Posted ...
2 hours ago, blank90 said:

have this repeating in my logs. What is the significance? Packet loss on this server? Currently connected to Imai in San Jose, CA, USA.


Hello!

The most common causes are a "dirty" line and an MTU related problem. Less frequently it's a replay attack. Please try to get a stronger WiFi signal, change WiFi channel, test a different Ethernet cable, make sure that network interface driver and router firmware are both up to date. For the second cause try to adjust network interface MTU down to 1280 bytes if you use WireGuard, or add mssfix directive if you run OpenVPN (try for example mssfix 1280).

Kind regards
 
blank90 reacted to this

Share this post

Link to post

blank90    3

blank90
Posted ...
On 5/30/2024 at 2:12 AM, Staff said:

Hello!

The most common causes are a "dirty" line and an MTU related problem. Less frequently it's a replay attack. Please try to get a stronger WiFi signal, change WiFi channel, test a different Ethernet cable, make sure that network interface driver and router firmware are both up to date. For the second cause try to adjust network interface MTU down to 1280 bytes if you use WireGuard, or add mssfix directive if you run OpenVPN (try for example mssfix 1280).

Kind regards
 

Also, what happens if it is a replay attack? Could my credentials to accounts be compromised?

Share this post

Link to post

Staff    9968

Staff
Posted ...
8 hours ago, blank90 said:

Also, what happens if it is a replay attack? Could my credentials to accounts be compromised?


Hello!

No, they can't: OpenVPN and WireGuard are invulnerable to replay attacks in real life. Nevertheless a massive replay attack can dramatically slow down the VPN tunnel throughput because of the massive amount of packets that need to be dropped and re-sent.

Kind regards
 
blank90 reacted to this

Share this post

Link to post

Air4141841    24

Air4141841
Posted ...

before I moved to instances with opnsense I could mute the messages instead of it creating pages and pages and pages of logs on my router.
now I no longer have that ability as there is no advanced configuration area anymore.

I've opened a few tickets.   nothing suggested resolves this.      

--mute-replay-warnings

https://openvpn.net/community-resources/reference-manual-for-openvpn-2-5/

 

Share this post

Link to post

Staff    9968

Staff
Posted ...
@Air4141841

Hello!

By muting the entries you would hide the problem but wouldn't solve it. Try with mssfix 1280 directive. It will tell OpenVPN to split TCP packets inside the UDP tunnel larger than 1280 bytes; if the problem is related to MTU this directive alone can greatly mitigate or solve it altogether.

Kind regards
 

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Go To Topic Listing
×
×
  • Create New...